An interesting piece from Workplace Daily Law:

The UK’s largest information security firm, Shred-it, has warned that SMEs in the UK are putting their own businesses at risk and could also be damaging larger firms they supply services to by not taking sufficient care of confidential data. Its new research reveals that SMEs are not taking enough care when managing and disposing of documents and hard drives, and Shred-it has urged larger businesses in the UK to help SMEs they work with to improve their information security measures in order to maintain the integrity of their supply chain.

Commenting on its findings, Robert Guice, Vice President Shred-it EMEA, said: “It’s good business sense for larger companies to ask whether their suppliers have a data protection partner and an information security system in place – not only to prevent sensitive information being lost by a third party but also because the financial and reputational damage of a breach could put that supplier out of business and cause havoc in the supply chain.”

This, the third annual ‘Security Tracker’, also suggests that despite the threat of severe fines and reputational damage, SMEs still do not feel that a data breach would have a material impact on their business. Mr Guice added:

“SMEs continue to hugely underestimate the potential cost of a data breach to them. In terms of financial loss, the Information Commissioner’s Office in the UK can fine companies up to half a million pounds, enough to send many companies into insolvency.

“We believe that smaller companies may be over-estimating the costs involved in making sure confidential information is kept safe.”

The Shred-it survey also revealed that two in every five large businesses prosecuted for a data breach have suffered losses of more than £500,000 and that the average fine is approximately £150,000. Mr Guice continued: “Whilst larger companies may be able to absorb this cost, SMEs risk a huge hit to their bottom line and a tarnished reputation which can impact relationships with customers and other business partners.”

According to Shred-it, there is a worrying gap between the procedures in place at smaller and larger companies. It stated that while companies with revenue over £1m are eight times more likely to use a professional shredding company to dispose of their sensitive documents, 37% of small businesses in the UK have no information security management system in place. Furthermore, the survey revealed that 28% of small business owners have never provided any information security training to their employees.

Another key finding of the research was that 77% of larger businesses have an employee directly responsible for managing information security issues at management level (66%) or board level (11%). In comparison, only 48% of SMEs do.